Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure

When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo
is not freed. Add xe_bo_free(storage) before returning the error.

xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on
error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own
error paths. Otherwise, since xe_gem_prime_import() cannot distinguish
whether the failure originated from xe_dma_buf_init_obj() or from
xe_bo_init_locked(), it cannot safely decide whether the bo should be
freed.

Add comments documenting the ownership semantics: on success, ownership
of storage is transferred to the returned drm_gem_object; on failure,
storage is freed before returning.

v2: Add comments to explain the free logic.

(cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)
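
The ownership rule in the description above, modelled as an added user-space C example (not the kernel patch and not xe driver code). Every name here (`bo_alloc`, `init_obj`, `import_once`, the `fail_at` values) is a hypothetical stand-in; a live-object counter shows the leak on the failed-allocation path and its absence once that path frees the storage.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical user-space stand-ins; these are not the xe driver's types. */
struct bo { int unused; };
enum fail_at { FAIL_NONE, FAIL_RESV_ALLOC, FAIL_BO_INIT };
static int live_bos; /* bos allocated and not yet freed */

static struct bo *bo_alloc(void)
{
    struct bo *b = calloc(1, sizeof(*b));
    live_bos += (b != NULL);
    return b;
}

static void bo_free(struct bo *b) { free(b); live_bos--; }

/* Models a callee that frees the bo itself when it fails. */
static int bo_init_locked(struct bo *b, int fail)
{
    if (!fail)
        return 0;
    bo_free(b);
    return -EINVAL;
}

/* Contract: on failure storage is already freed. 'fixed' adds the missing free. */
static int init_obj(struct bo *storage, enum fail_at f, int fixed)
{
    if (f == FAIL_RESV_ALLOC) {   /* models the failed allocation */
        if (fixed)
            bo_free(storage);
        return -ENOMEM;
    }
    return bo_init_locked(storage, f == FAIL_BO_INIT);
}

/* One import attempt; returns how many bos it leaked (-1 if setup failed). */
int import_once(enum fail_at f, int fixed)
{
    int before = live_bos;
    struct bo *storage = bo_alloc();
    if (!storage)
        return -1;
    if (init_obj(storage, f, fixed) == 0)
        bo_free(storage); /* success: stands in for the owner's later release */
    /* failure: the caller cannot tell which path failed, so it never frees */
    return live_bos - before;
}
```

If the caller freed on every failure instead, the `FAIL_BO_INIT` path would free the same object twice, which is why the fix belongs in the callee.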
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a memory leak in the Linux kernel's DRM/xe subsystem: when drm_gpuvm_resv_object_alloc() fails, xe_dma_buf_init_obj() returns the error without freeing the pre-allocated storage buffer object (BO). The lost BO is never released, so leaked objects accumulate over time, gradually exhausting kernel memory and potentially causing a denial of service. This weakness maps to CWE-401 (Memory Leak) and CWE-772 (Missing Release of Resource).

Affected Systems

Affected systems are Linux kernel builds that include the DRM/xe driver before the fix commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9. All standard Linux kernels older than that commit, irrespective of vendor or distribution, contain the flaw. The patch is already present in newer kernels, such as those released after the commit and in the 7.1‑rc1 kernel in development.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity and the EPSS score of <1% signals a very low likelihood of exploitation. The flaw is not listed in CISA KEV, implying no publicly known exploit. Exploitation requires triggering the DRM DMA buffer initialization path, which is generally limited to privileged users or processes with CAP_SYS_ADMIN. Based on the description, it is inferred that the attack vector is local; a remote attacker would first need to achieve privilege escalation. The eventual abuse leads to gradual kernel memory exhaustion that could reboot the system or cause a denial of service.

Generated by OpenCVE AI on June 10, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9, which removes the buffer‑object leak.
  • If an immediate kernel upgrade is not possible, disable or unload the DRM/xe driver module to stop DMA buffer initializations.
  • Monitor kernel memory usage and set thresholds to alert before exhaustion; apply throttling or restart services if memory consumption rises unexpectedly.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*

Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Thu, 28 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error. xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed. Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning. v2: Add comments to explain the free logic. (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)
Title drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:03:55.011Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46224

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:38.037

Modified: 2026-06-10T18:55:15.930

Link: CVE-2026-46224

Red Hat

Severity: Low

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46224 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:15:18Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime